Closed
Bug 848535
(CVE-2013-1694)
Opened 12 years ago
Closed 12 years ago
Use of PreserveWrapper in cases when we don't have a wrapper seems broken
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: bzbarsky, Assigned: smaug)
Details
(Keywords: sec-high, Whiteboard: [qa-][adv-main22+][adv-esr1707+])
Attachments
(2 files, 1 obsolete file)
|
2.24 KB,
patch
|
mccr8
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
2.17 KB,
patch
|
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr17+
akeybl
:
approval-mozilla-b2g18+
|
Details | Diff | Splinter Review |
Consider the following scenario:
1) XHR starts.
2) Its wrapper, if any, is collected.
3) A C++ readystatechange listener calls GetResponse, and the response type is
JSON or arraybuffer. This causes nsXMLHttpRequest::RootJSResultObjects to be
called, which calls PreserveWrapper.
4) JS touches the XHR object, causing it to be wrapped, which calls
nsWrapperCache::SetWrapper().
In a debug build this will assert fatally. In an opt build this will clear the preserved-wrapper flag on the wrapper cache, which seems bad.
Should we just preserve that flag on SetWrapper and remove the assert in that method, perhaps? Alternately, we should stop using PreserveWrapper to mean "hold JS objects" in XHR.
Note that the above scenario is pretty simple to produce with a worker XHR if extension JS can ever touch the main-thread nsXMLHttpRequest of it, as far as I can tell.
|
Assignee | |
Comment 1•12 years ago
|
||
nsDOMFileReader is possibly similarly broken.
|
|
Assignee | |
Comment 4•12 years ago
|
||
This should do it. Technically drop in unlink isn't absolutely needed, but
we do drop preserved wrapper there too if there is such (in nsDOMEventTargetHelper). These aren't super perf critical so extra drop isn't too bad.
Attachment #746645 -
Flags: review?(continuation)
|
|
Assignee | |
Comment 5•12 years ago
|
||
But then, drop in unlink is rather useless... I'll remove it
|
|
Assignee | |
Comment 6•12 years ago
|
||
Attachment #746645 -
Attachment is obsolete: true
Attachment #746645 -
Flags: review?(continuation)
Attachment #746648 -
Flags: review?(continuation)
|
||
Updated•12 years ago
|
Attachment #746648 -
Flags: review?(continuation) → review+
|
|
Assignee | |
Comment 7•12 years ago
|
||
Comment on attachment 746648 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
As of now we don't know any exploit, but I don't think constructing one is too difficult.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
commit will be about simpler js object holding
Which older supported branches are affected by this flaw?
all
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
backports should be almost the same
How likely is this patch to cause regressions; how much testing does it need?
Should be relatively safe
Attachment #746648 -
Flags: sec-approval?
|
||
Comment 8•12 years ago
|
||
sec-approval+ for m-c on 5/14 after we branch and ship. Please prepare and nominate branch patches as well.
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox22:
--- → +
tracking-firefox23:
--- → +
tracking-firefox-esr17:
--- → +
Whiteboard: [checkin after 5/14]
|
|
||
Updated•12 years ago
|
Attachment #746648 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 9•12 years ago
|
||
|
||
Comment 10•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
status-b2g18:
--- → ?
status-b2g18-v1.0.1:
--- → ?
status-firefox24:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
|
||
Updated•12 years ago
|
Whiteboard: [checkin after 5/14]
|
|
Assignee | |
Comment 13•12 years ago
|
||
This patch seems to apply to branches. esr17 needs --fuzz=4
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Something ancient
User impact if declined: Possible GC/CC related crashes
Testing completed (on m-c, etc.): landed to m-c 2013-05-15
Risk to taking this patch (and alternatives if risky): Shouldn't be risky
String or IDL/UUID changes made by this patch: NA
Attachment #752297 -
Flags: approval-mozilla-esr17?
Attachment #752297 -
Flags: approval-mozilla-beta?
Attachment #752297 -
Flags: approval-mozilla-b2g18?
Attachment #752297 -
Flags: approval-mozilla-aurora?
|
||
Comment 14•12 years ago
|
||
Comment on attachment 752297 [details] [diff] [review]
for branches
approving for desktop branches, holding off on b2g18 until we know if this needs to be uplifted to v1.0.1 - since it's only sec-high, I suspect it does not but will wait for confirmation.
Attachment #752297 -
Flags: approval-mozilla-esr17?
Attachment #752297 -
Flags: approval-mozilla-esr17+
Attachment #752297 -
Flags: approval-mozilla-beta?
Attachment #752297 -
Flags: approval-mozilla-beta+
Attachment #752297 -
Flags: approval-mozilla-aurora?
Attachment #752297 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•12 years ago
|
|
|
||
Comment 15•12 years ago
|
||
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Attachment #752297 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
|
|
||
Comment 16•12 years ago
|
||
status-b2g18-v1.0.0:
--- → wontfix
|
||
Comment 17•12 years ago
|
||
Based on the steps in comment 0 and the lack of an existing test case, we're going to mark this qa- for verification purposes. If that changes, remove qa- and/or let us know how we could otherwise verify fixed. Thanks.
Whiteboard: [qa-]
|
|
||
Updated•12 years ago
|
Whiteboard: [qa-] → [qa-][adv-main22+][adv-esr1707+]
|
|
||
Updated•12 years ago
|
Alias: CVE-2013-1694
|
||
Updated•10 years ago
|
Group: core-security
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•